[security] OAuth state parameter is never validated in GitHub/Google callbacks — CSRF protection is non-functional

[MehtabSandhu11]

In apps/backend/src/routes/auth.ts, the state query parameter is generated during the OAuth redirect but never verified in the callback handlers. The callback simply ignores state:

app.get('/github/callback', async (request, reply) => {
  const { code } = request.query; // state is never read or checked
  ...
});

This makes the CSRF protection completely non-functional. An attacker can initiate a forged OAuth flow and the server will accept it regardless of state.

Expected behaviour

The callback should verify that the state returned by GitHub/Google matches the one sent in the original redirect. Typically this is stored server-side (Redis) or in a signed cookie before the redirect.

Proposed fix

Store the generated state in a short-lived signed cookie before redirecting, then verify it matches in the callback before processing the token exchange.

Files to touch

• apps/backend/src/routes/auth.ts
  ASSIGNMENT REQUEST — add this at the very bottom of the issue body:

---

I would like to work on this issue as part of GirlScript Summer of Code 2026 (GSSoC'26). I have reviewed the codebase and understand the root cause and the fix required.

Could you please assign this issue to me?

GitHub: @MehtabSandhu11

Thank you!

[prashant2007-wq]

Hi @MehtabSandhu11,

I would like to work on this issue under GSSoC 2026.

I have reviewed the issue and understand that the current OAuth flow generates a state parameter during GitHub/Google redirect but does not validate it in the callback handlers. This makes the CSRF protection incomplete because the callback accepts the OAuth response without confirming that it belongs to the same login request.

Approach

I will fix this in apps/backend/src/routes/auth.ts by implementing proper OAuth state validation.

My approach will be:

1. Generate a cryptographically secure random state value before redirecting the user to GitHub/Google OAuth.
2. Store the generated state in a short-lived signed HTTP-only cookie before redirect.
3. Include the same state value in the OAuth authorization URL.
4. Update both GitHub and Google callback handlers to read the returned state.
5. Compare the returned state with the stored signed cookie value before processing the token exchange.
6. If the state is missing, expired, or mismatched, return a 400 Bad Request response and stop the OAuth flow.
7. Clear the state cookie after successful validation to prevent replay/reuse.
8. Test valid login flow and invalid/missing state callback cases.

This will ensure that the OAuth callback belongs to the original login request and will protect the OAuth flow from CSRF attacks.

Please assign this issue to me.

[tech-dipesh]

/assign gssoc

[anshul23102]

Hi, I would like to work on this security fix. I can confirm the OAuth state parameter is generated in both /auth/github and /auth/google but is never validated in the callbacks, making CSRF protection non-functional. I plan to fix this by storing the state in a short-lived signed cookie before redirecting and validating it in the callback. Could you please assign this issue to me?

[MehtabSandhu11]

@anshul23102 , this is not the way man. I have asked to be assigned and you just make PRs like that.

[anshul23102]

@MehtabSandhu11, Sorry man, that was my mistake, I accidentally opened the PR before waiting for assignment. I’ve closed it now. Won’t happen again.

[Harxhit]

@MehtabSandhu11 I have assigned the issue to you.